Why Social Engineering always works :(

tarwine — Wed, 08 Aug 2007 03:09:00 GMT

What is Social Engineering & why should you care?

Social engineering (security) - a definition from Wikipedia:

Social engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery for information gathering or computer system access and in most cases the attacker never comes face-to-face with the victim.

Basically it’s applied Used Car Sales tactics to the workplace in order to trick people giving out computer passwords and security codes over the phone, by mail or in person.

Kevin Mitnik who was arguably the most infamous hacker in U.S. history wrote a book called “The Art of Deception” in which he exposes the weakness in human security when people are deceived. The book described on Mitnik’s website state: “he [Mitnik] illustrates just how susceptible even the most locked-down information systems are to a slick con artist impersonating an IRS agent”

It’s really quite easy to bypass security rules, firewalls and policies if a user is authorized to do so as part of their daily job. That’s why we don’t give out passwords. But really all you have to do is ask for a password and people will give it to you if they think you are trying to help them.

How it works: If you want to gain illegal unauthorized access to a computer system, just call up the company in the phone directory, press zero for the operator, and ask for the department of your choice. You then simply ask an employee who answers to give you their user Employee ID, Username and Password using what every angle fits your style. Help Desk & HR are usually often good choices to impersonate.

Why use the phone? It’s easier to conceal our nervous expressions when we lie. We can disguise our voice much easier than we can our countenance. We can do it anonymously without recognition of our true self. And using the phone is much easier than hacking into a network using traditional technological means and methods.

The attacked employee when called will be busy most of the time doing their job and would rather not think about why they are getting a call from you as the supposed Help Desk technician or the local Human Resources Representative, they just want to get back to work. In fact if you like to talk, you can ask about their pets, favorite ball team, and their kids, and see if they don’t open up to you and spill the beans to just about any question you want.

Why? It’s probably because, we naturally trust people on the phone at work. At home we feel someone is always trying to sell us something and are a little more cautious especially with all the news stories on identity theft and phishing scams via email. We have caller block and do not call lists in our house, and we have antivirus, firewall, and phishing filters in our browsers, but there is something magical about a corporate office that gives us a sense of security that our employer screens our calls for us. We don’t feel threatened and we genuinely want to help people in need and especially want to cooperate with those individuals trying to solve a problem for us at work.

So what can you do?

1. ASK QUESTIONS?

If someone phones or appears and asks you for information that you know is confidential company, client or personal information, don’t be afraid to ask them a few questions yourself.

By phone	In Person
Ask for the correct spelling of the caller's name. Ask for a number where you can return the call. Ask why the information is needed. Ask who has authorized the request and let the caller know that you will verify the authorization.	Ask for some identification. Ask who has authorized this request so you may verify the authorization. If you are not authorized to provide that information, offer to locate the correct person. Seek assistance if you are unsure.

Sample questions taken from http://www.nd.gov/itd/security/start/soceng4.htm

2. RECOGNIZE SUSPICIOUS BEHAVIOR

· If you hold a clipboard while talking on a cell phone, people will hold the company doors open for you and let you in almost any building. Remember that Uniforms and Clipboards are cheap.

· Passwords are Personal – Helpdesk should never ask you to give them your password, and if you reset a password with one provided by the helpdesk, change it immediately.

· If you didn’t ask for help – be surprised when someone offers to fix something.

3. RESPOND TO SOCIAL ENGINEERING ATTACKS

Report questionable behavior to Security or Management

Additional Resources:

How to Protect Insiders from Social Engineering Threats (Microsoft)

A Multi-Level Defense Against Social Engineering (SANS)

Other links are available from:

http://www.securityfocus.com/infocus/1527

"Stay Safe" Cyber Security Blog : Social Engineering

Why Social Engineering always works :(